idnits 2.17.1 draft-eastlake-tsig-sha-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3667, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5 on line 148. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement -- however, there's a paragraph with a matching beginning. Boilerplate error? ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document seems to lack an RFC 3979 Section 5, para. 1 IPR Disclosure Acknowledgement. ** The document seems to lack an RFC 3979 Section 5, para. 2 IPR Disclosure Acknowledgement. ** The document seems to lack an RFC 3979 Section 5, para. 3 IPR Disclosure Invitation. ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate instead of verbatim RFC 3978 boilerplate. After 6 May 2005, submission of drafts without verbatim RFC 3978 boilerplate is not accepted. The following non-3978 patterns matched text found in the document. That text should be removed or replaced: By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, or will be disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 4 instances of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 113 has weird spacing: '...mmended sha...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 2004) is 7224 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC 3645' is mentioned on line 183, but not defined == Missing Reference: 'RFC 2931' is mentioned on line 180, but not defined == Missing Reference: 'FIPS 180-1' is mentioned on line 174, but not defined == Missing Reference: 'RFC 3174' is mentioned on line 177, but not defined == Unused Reference: 'FIPS 180-2' is defined on line 154, but no explicit reference was found in the text -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS 180-2' ** Downref: Normative reference to an Informational RFC: RFC 1321 ** Downref: Normative reference to an Informational RFC: RFC 2104 ** Obsolete normative reference: RFC 2434 (Obsoleted by RFC 5226) ** Obsolete normative reference: RFC 2845 (Obsoleted by RFC 8945) Summary: 13 errors (**), 0 flaws (~~), 9 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 INTERNET-DRAFT HMAC-SHA TSIG Identifiers 3 Donald E. Eastlake 3rd 4 Motorola Laboratories 5 Expires: December2004 July 2004 7 HMAC SHA TSIG Algorithm Identifiers 8 ---- --- ---- --------- ----------- 9 11 Status of This Document 13 By submitting this Internet-Draft, I certify that any applicable 14 patent or other IPR claims of which I am aware have been disclosed, 15 or will be disclosed, and any of which I become aware will be 16 disclosed, in accordance with RFC 3668. 18 This draft is intended to be become a Proposed Standard RFC. 19 Distribution of this document is unlimited. Comments should be sent 20 to the author. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF), its areas, and its working groups. Note that 24 other groups may also distribute working documents as Internet- 25 Drafts. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than a "work in progress." 32 The list of current Internet-Drafts can be accessed at 33 http://www.ietf.org/1id-abstracts.html 35 The list of Internet-Draft Shadow Directories can be accessed at 36 http://www.ietf.org/shadow.html 38 Abstract 40 Use of the TSIG DNS resource record requires specification of a 41 cryptographic message authentication code. Currently identifiers 42 have been specified only for the HMAC-MD5 and GSS TSIG algorithms. 43 This document specifies identifiers for additional HMAC SHA TSIG 44 algorithms. 46 Table of Contents 48 Status of This Document....................................1 49 Abstract...................................................1 51 Table of Contents..........................................2 53 1. Introduction............................................3 55 2. Algorithms and Identifiers..............................4 57 3. IANA Considerations.....................................5 58 4. Security Considerations.................................5 59 5. Copyright and Disclaimer................................5 60 6. References..............................................5 61 6.1 Normative References...................................5 62 6.2 Informative References.................................6 64 Author's Address...........................................7 65 Expiration and File Name...................................7 67 1. Introduction 69 [RFC 2845] specifies a TSIG Resource Record that can be used to 70 authenticate DNS queries and responses. This RR contains a domain 71 name syntax data item which names the authentication algorithm used. 72 [RFC 2845] defines the HMAC-MD5.SIG-ALG.REG.INT name for 73 authentication codes using the HMAC [RFC 2104] algorithm with the MD5 74 [RFC 1321] hash algorithm. IANA has also registered "gss-tsig" as an 75 identifier for TSIG authentication where the cryptographic operations 76 are delegated to GSS [RFC 3645]. This document specifies additional 77 names for TSIG authentication algorithms based on US NIST SHA 78 algorithms, HMAC, and truncation. 80 2. Algorithms and Identifiers 82 TSIG Resource Records (RRs) [RFC 2845] are used to authenticate DNS 83 queries and responses. They are intended to be efficient symmetric 84 authentication codes based on a shared secret. (Asymmetric signatures 85 can be provided using the SIG RR [RFC 2931]. SIG(0) can be used for 86 transcation signatures.) Used with a strong hash function, HMAC [RFC 87 2104] provides a way to calculate such symmetric authentication 88 codes. The only specified HMAC based TSIG algorithm identifier has 89 been HMAC-MD5.SIG-ALG.REG.INT based on MD5 [RFC 1321]. 91 The use of SHA-1 [FIPS 180-1, RFC 3174], which is a 160 bit hash as 92 compared with the 128 bits for MD5, and additional hash algorithms in 93 the SHA family [FIPS 180-2, RFC sha224] with 224, 256, 384, and 512 94 bits, may be preferred in some case. Use of TSIG between a DNS 95 resolver and server is by mutual agreement. That agreement can 96 include the support of additonal algorithms. 98 In some cases, it is reasonable to truncate the output of HMAC and 99 use the truncated value for authentication. Since the syntax for TSIG 100 algorithm identifiers is that of a domain name, this is indicated in 101 these identifiers by a leading decimal lable which gives the 102 truncated length in bits. Because the DNA protocol is byte oriented, 103 such truncated lengths would normally be a multiple of 8. When 104 truncation occurs, the bits used are the initial bits, trailing bits 105 being discarded. 107 For completeness in relation to HMAC based algorithms, the current 108 HMAC-MD5.SIG-ALG.REG.INT identifier is included in the table below. 109 [FIPS 180-2, RFC sha224] 111 Mandatory HMAC-MD5.SIG-ALG.REG.INT 113 Recommended sha1 114 Recommended 96.sha1 115 Optional sha224 116 Optional 168.sha224 117 Optional sha256 118 Optional 192.sha256 119 Optional sha384 120 Optional 320.sha384 121 Optional sha512 122 Optional 448.sha512 124 3. IANA Considerations 126 This document, on approval by IETF Consensus [RFC 2434], registers 127 the new TSIG algorithm identifiers listed in Section 2 with IANA. 129 4. Security Considerations 131 For all of the message authentication code algorithms listed herein, 132 those producing longer values are believed to be stronger. 134 See Security Considerations section of [RFC 2845]. 136 5. Copyright and Disclaimer 138 Copyright (C) The Internet Society 2004. This document is subject to 139 the rights, licenses and restrictions contained in BCP 78, and except 140 as set forth therein, the authors retain all their rights. 142 This document and the information contained herein are provided on an 143 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 144 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 145 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 146 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 147 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 148 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 150 6. References 152 6.1 Normative References 154 [FIPS 180-2] - Secure Hash Standard, (SHA-1/256/384/512) US Federal 155 Information Processing Standard, Draft, 1 August 2002. 157 [RFC 1321] - The MD5 Message-Digest Algorithm, R. Rivest, April 1992. 159 [RFC 2104] - HMAC: Keyed-Hashing for Message Authentication, H. 160 Krawczyk, M. Bellare, R. Canetti, February 1997. 162 [RFC 2434] - Guidelines for Writing an IANA Considerations Section in 163 RFCs, T. Narten, H. Alvestrand, October 1998. 165 [RFC 2845] - Secret Key Transaction Authentication for DNS (TSIG), P. 167 Vixie, O. Gudmundsson, D. Eastlake, B. Wellington, May 2000. 169 [RFC sha224] - "A 224-bit One-way Hash Function: SHA-224", R. 170 Housley, December 2003, draft-ietf-pkix-sha224-*.txt. 172 6.2 Informative References. 174 [FIPS 180-1] - Secure Hash Standard, (SHA-1) US Federal Information 175 Processing Standard, 17 April 1995. 177 [RFC 3174] - US Secure Hash Algorithm 1 (SHA1), D. Eastlake, 3rd, P. 178 Jones, September 2001. 180 [RFC 2931] - DNS Request and Transaction Signatures ( SIG(0)s), D. 181 Eastlake. September 2000. 183 [RFC 3645] - Generic Security Service Algorithm for Secret Key 184 Transaction Authentication for DNS (GSS-TSIG), S. Kwan, P. Garg, J. 185 Gilroy, L. Esibov, J. Westhead, R. Hall, October 2003. 187 Author's Address 189 Donald E. Eastlake 3rd 190 Motorola Laboratories 191 155 Beaver Street 192 Milford, MA 01757 USA 194 Telephone: +1-508-786-7554 (w) 195 +1-508-634-2066 (h) 196 EMail: Donald.Eastlake@motorola.com 198 Expiration and File Name 200 This draft expires in December 2004. 202 Its file name is draft-eastlake-tsig-sha-03.txt